Throughout the last 6 weeks, Websense® Security Labs™ has been collecting telemetry from our Websense ThreatSeeker® Intelligence Cloud to provide insight into usage of the most recent version of Java. Following our March 2013 study that looked at what versions of Java are being used, we saw that almost 93% of users are still not patched to the most recent version of Java. This leaves the majority of users still vulnerable to the dangers of exploit code already in use in the wild.
Since the April 16 Java Critical Patch Update was released by Oracle, we also noticed that businesses have been slow to apply the Version 7 Update 21 patch into their environment. Based on our analysis, we identified the following trends:
- 2 days after the release of the patch, less than 2% of users had adopted Java SE Version 7 Update 21.
- After a full week, the average adoption of the newest version of Java was at less than 3%.
- 2 weeks after the newest Java version was released, the trend line had moved to a little over 4%.
- One month after release, the number of live web requests using the most recent version of Java was only around 7%.
So 1 month after release, the remaining 92.8% of users remain vulnerable to at least one exploit in the wild. Remember that the April 2013 Java Critical Patch Update contained 42 new security fixes, of which 39 may be remotely exploitable without authentication. We saw that on April 20, 2013, to illustrate the danger of just one of these 39 remote execution vulnerabilities, Metasploit published a module to exploit a vulnerability in CVE-2013-2423. We have observed this particular exploit code incorporated into exploit kits and used in the wild. Not only that, but we are also monitoring the possible impact of a recent vulnerability disclosure affecting the Java SE Version 7 Update 21 itself.
Our investigations further revealed that the busiest period of patch adoption was during the second week after release, and that adoption is continuing although at a slower rate. As news spreads of an available patch (via word of mouth or as the Java Auto Updater notifies users), we've noted that some organizations are then more willing to apply the patch.
Oracle is planning to release a Critical Patch Update for Java SE on June 18, 2013. Are you prepared for that?
If you are still in the 93% that have yet to apply the available patch, we, along with Oracle, strongly recommend that you consider applying it to your environment as soon as possible.
Acknowledgement: Thank you to Armin Buescher for his research.